Detecting and mitigating golden ticket attacks within a domain
Abstract
A system and methods for mitigating golden ticket attacks within a domain are provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing the hash of each authentication object to the previously generated hashes.
Claims
What is claimed is:
1. A system for mitigating golden ticket attacks within a domain, comprising:
a computing device comprising a memory and a processor;
an authentication object inspector comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
receive network traffic via a first network connection, the network traffic comprising a plurality of network packets, the plurality of network packets comprising at least a plurality of first authentication objects known to be generated by an identity provider associated with an authentication domain;
store the received network traffic in the time series database as a series of network traffic records;
store a record of each received first authentication object, with attached metadata comprising a timestamp of when each first authentication object was received, in a time-series database;
calculate a cryptographic hash of each first authentication object using a hashing engine;
store the cryptographic hash of each first authentication object in a database of hashes for the identity provider;
receive a request for access to a network resource within the authentication domain accompanied by a second authentication object;
calculate a cryptographic hash of the second authentication object using the hashing engine;
compare the cryptographic hash of the second authentication object with the cryptographic hashes of the first authentication objects stored in the database of hashes to determine whether the cryptographic hash of the second authentication object already exists in the database of hashes;
where the cryptographic hash of the second authentication object does not exist in the database of hashes:
analyze a plurality of the stored first authentication objects to determine a plurality of compromised accounts;
analyze a plurality of the stored network traffic records to determine a plurality of access paths;
generate an incident report comprising results of the analyses of the plurality of stored first authentication objects and the plurality of stored network traffic records;
transmit the incident report via a second network connection that is not connected to, or visible to, the identity provider; and
the hashing engine comprising a second plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
receive authentication objects from the authentication object inspector;
calculate cryptographic hashes for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and
return the cryptographic hashes of authentication objects received to the authentication object inspector.
2. The system of claim 1, wherein the authentication object inspector is operated by the identity provider.
3. The system of claim 1, wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
4. A method for mitigating golden ticket attacks within a domain, comprising the steps of:
using an authentication object inspector operating on a computing device comprising a memory and a processor to:
receive network traffic via a first network connection, the network traffic comprising a plurality of network packets, the plurality of network packets comprising at least a plurality of first authentication objects known to be generated by an identity provider associated with an authentication domain;
store the received network traffic in the time series database as a series of network traffic records;
store a record of each received first authentication object, with attached metadata comprising a timestamp of when each first authentication object was received, in a time-series database;
calculate a cryptographic hash of each first authentication object using a hashing engine;
store the cryptographic hash of each first authentication object in a database of hashes for the identity provider;
receive a request for access to a network resource within the authentication domain accompanied by a second authentication object;
calculate a cryptographic hash of the second authentication object using the hashing engine;
compare the cryptographic hash of the second authentication object with the cryptographic hashes of the first authentication objects stored in the database of hashes to determine whether the cryptographic hash of the second authentication object already exists in the database of hashes;
where the cryptographic hash of the second authentication object does not exist in the database of hashes:
analyze a plurality of the stored first authentication objects to determine a plurality of compromised accounts;
analyze a plurality of the stored network traffic records to determine a plurality of access paths;
generate an incident report comprising results of the analyses of the plurality of stored first authentication objects and the plurality of stored network traffic records;
transmit the incident report via a second network connection that is not connected to, or visible to, the identity provider; and
using the hashing engine operating on the computing device to:
receive authentication objects from the authentication object inspector;
calculate cryptographic hashes for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and
return the cryptographic hashes of authentication objects received to the authentication object inspector.
5. The method of claim 4, wherein the authentication object inspector is operated by the identity provider.
6. The method of claim 4, wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
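The procedure in claims 1 and 4 (record every authentication object the identity provider issues, hash it, then hash each object presented with an access request and raise an incident when the hash is unknown) is compact enough to show end to end. The following is an added illustration written for this page, not the patent holder's implementation: authentication objects are modelled as canonical JSON documents standing in for Kerberos tickets, the time-series database and the hash database are in-memory Python collections, the "second network connection" is a callback, and the compromised-account heuristic (accounts whose genuine tickets went to the same client host as the forged one) is an assumption of the example rather than something the claims specify.

```python
"""Hash-based detection of forged authentication objects (golden tickets).

Added example, not the patent's reference implementation. Tickets are
constructed JSON objects; the KDC observation tap, the time-series store
and the out-of-band reporting channel are in-memory stand-ins.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Optional


def canonical_bytes(auth_object: dict) -> bytes:
    """Deterministic encoding so the same ticket always hashes identically
    (hypothetical encoding; real tickets would be hashed over their ASN.1)."""
    return json.dumps(auth_object, sort_keys=True, separators=(",", ":")).encode()


def ticket_hash(auth_object: dict) -> str:
    """The 'hashing engine' of the claims: SHA-256 over the canonical bytes."""
    return hashlib.sha256(canonical_bytes(auth_object)).hexdigest()


@dataclass
class AuthenticationObjectInspector:
    ticket_records: list = field(default_factory=list)    # time-series of issued tickets
    traffic_records: list = field(default_factory=list)   # time-series of observed flows
    known_hashes: set = field(default_factory=set)        # 'database of hashes'
    report_sink: Optional[Callable[[dict], None]] = None  # out-of-band channel (assumed)
    reports: list = field(default_factory=list)

    def observe_issued_ticket(self, ts: int, src: str, dst: str, auth_object: dict) -> str:
        """Record traffic plus a ticket known to come from the identity provider."""
        self.traffic_records.append({"ts": ts, "src": src, "dst": dst})
        self.ticket_records.append({"ts": ts, "ticket": auth_object})
        h = ticket_hash(auth_object)
        self.known_hashes.add(h)
        return h

    def validate_access(self, ts: int, src: str, dst: str, auth_object: dict) -> Optional[dict]:
        """Return None if the presented ticket was seen being issued; otherwise
        build, store and transmit an incident report for the unrecognised ticket."""
        self.traffic_records.append({"ts": ts, "src": src, "dst": dst})
        if ticket_hash(auth_object) in self.known_hashes:
            return None
        report = {
            "ts": ts,
            "presented_ticket": auth_object,
            "compromised_accounts": self.find_compromised_accounts(auth_object),
            "access_paths": self.find_access_paths(src),
        }
        self.reports.append(report)
        if self.report_sink is not None:
            self.report_sink(report)
        return report

    def find_compromised_accounts(self, forged: dict) -> list:
        """The principal the forged ticket claims, plus every account whose genuine
        tickets were issued to the same client host (shared-host heuristic, assumed)."""
        accounts = {forged["principal"]}
        for rec in self.ticket_records:
            if rec["ticket"].get("client_host") == forged.get("client_host"):
                accounts.add(rec["ticket"]["principal"])
        return sorted(accounts)

    def find_access_paths(self, src: str) -> list:
        """(src, dst) hops originating from the requesting host, in time order."""
        hops = [r for r in self.traffic_records if r["src"] == src]
        return [(r["src"], r["dst"]) for r in sorted(hops, key=lambda r: r["ts"])]


def run_demo() -> dict:
    """Constructed scenario: two genuine tickets, one replayed, one forged."""
    insp = AuthenticationObjectInspector(report_sink=lambda r: None)
    alice = {"principal": "alice", "realm": "CORP", "client_host": "ws-alice", "kvno": 3}
    bob = {"principal": "bob", "realm": "CORP", "client_host": "ws-bob", "kvno": 3}
    insp.observe_issued_ticket(100, "kdc01", "ws-alice", alice)
    insp.observe_issued_ticket(101, "kdc01", "ws-bob", bob)
    # alice presents the ticket the KDC actually issued: hash is known, no report
    genuine = insp.validate_access(200, "ws-alice", "fileserver", alice)
    # a ticket for Administrator that the KDC never issued: hash absent, incident
    forged = {"principal": "Administrator", "realm": "CORP", "client_host": "ws-bob", "kvno": 3}
    report = insp.validate_access(300, "ws-bob", "dc01", forged)
    return {"genuine_flagged": genuine is not None, "report": report}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The detection rests on one property: a golden ticket is minted offline with the stolen key and never passes through the identity provider, so no hash of it can be in the store, however valid its signature looks to the service. The corollary is the caveat a deployer needs: the inspector must see every legitimate issuance (including renewals, which produce a new object and a new hash), or genuine tickets will be reported as incidents.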